Key acronyms, regulatory body names, laws, and concepts for GCC AI, data protection, fintech, and telecom regulation.
Abu Dhabi's international financial free zone. Regulates financial services, virtual assets, and data protection within ADGM.
The financial regulator within ADGM. Issues virtual asset, investment management, and capital markets rules.
Federal UAE central bank. Regulates banks, payment services, open banking, and fintech licensing.
Dubai's financial free zone. Has its own data protection law and financial regulations distinct from UAE federal law.
Financial regulator within DIFC. Issues the Innovation Testing Licence and regulates crypto, banking, and investment within DIFC.
Dubai regulator for virtual asset service providers outside DIFC. Comprehensive rulebook covering exchange, custody, lending, and issuance.
UAE telecom and digital regulator. Manages spectrum, cybersecurity, and digital infrastructure policy.
Federal UAE regulator for securities markets, crowdfunding platforms, and crypto-asset frameworks.
Federal ministry overseeing UAE AI strategy, PDPL enforcement, and industrial technology policy.
Dubai government digital transformation agency. Oversees smart city, data governance, and digital services for Dubai.
Saudi Arabia's national AI and data authority. Publishes AI Ethics Principles and oversees the national data governance framework.
Under SDAIA. Manages data classification, open data policy, and national data management framework.
Saudi Arabia's central bank and financial regulator. Operates a fintech sandbox and has published open banking and AI/ML guidance.
Saudi Arabia's primary cybersecurity authority. Issues the Essential Cybersecurity Controls and cloud security frameworks.
Saudi Arabia's telecom and technology regulator. Manages spectrum, digital services, and cloud infrastructure policy.
Bahrain's central bank and financial regulator. Has one of the GCC's most advanced fintech sandboxes and a dedicated Crypto-Asset Module.
Bahrain's data protection regulator. Enforces the Personal Data Protection Law (PDPDL, 2018) — the oldest comprehensive data law in the GCC.
Bahrain's national cybersecurity agency. Issues national cybersecurity strategies and critical infrastructure protection guidelines.
Qatar's digital ministry. Administers the PDPPL data protection law, national AI strategy, and digital economy frameworks.
Financial regulator within the Qatar Financial Centre (QFC). Covers banking, insurance, investment, fintech, and AI governance within QFC.
Kuwait's central bank. Issues banking supervision guidelines, payment services regulations, and digital banking frameworks.
Kuwait's telecom and IT regulator. Manages spectrum, digital services licensing, and cybersecurity policy.
Federal Decree-Law No. 45/2021. UAE's first comprehensive data protection law. Enforced by MoIAT. Applies to all processing in the UAE except ADGM and DIFC.
2021 GDPR-aligned regulations for ADGM entities. Applies instead of UAE federal PDPL. Administered by the ADGM Office of Data Protection.
DIFC Law No. 5/2020. GDPR-aligned. Applies to DIFC entities instead of UAE federal PDPL. Administered by DIFC Commissioner of Data Protection.
Issued 2021, implemented 2023. Requires explicit consent for sensitive data. Saudi nationals' data must be stored within the Kingdom. Administered by SDAIA.
Law No. 30/2018. Oldest comprehensive data protection law in the GCC. Administered by the PDPA. GDPR-like principles.
Law No. 13/2016, amended 2021. Qatar's national data protection framework. Strict cross-border transfer rules — regulatory approval required for some data categories.
Issued 2023 by VARA. Comprehensive licensing framework for all virtual asset activities in Dubai (outside DIFC). Covers exchange, custody, lending, broker-dealer, VA issuance.
Issued 2023. Requires licensed financial institutions to share customer data via APIs with customer consent. Covers banks, payment providers, insurers.
Issued 2022 by SAMA. Enables third-party access to bank customer data with consent. Part of Vision 2030 financial sector development.
NCA baseline cybersecurity framework for Saudi government entities and critical infrastructure. Includes sector-specific Cloud Cybersecurity Controls (CCC).
Published 2023 by SDAIA. Principles: human-centricity, privacy by design, transparency, explainability, accountability, safety, non-discrimination.
One of the GCC's first crypto licensing frameworks. Regulates crypto exchanges, custodians, and portfolio managers in Bahrain.
Gulf Cooperation Council. The six-member regional bloc: UAE, Saudi Arabia, Bahrain, Qatar, Oman, and Kuwait. Each has independent regulatory frameworks while cooperating on cross-border standards.
A special economic zone with its own laws and regulators, separate from federal law. Key GCC financial free zones: ADGM (Abu Dhabi), DIFC (Dubai), QFC (Qatar). Free zone laws typically override national laws for entities incorporated within them.
Virtual Asset Service Provider. An entity providing virtual asset exchange, transfer, safekeeping, or related financial services. Requires licensing from VARA (Dubai), FSRA (ADGM), DFSA (DIFC), or CBB (Bahrain).
A controlled regulatory environment allowing companies to test innovative products with relaxed licensing under regulator supervision. Operated by CBUAE, ADGM, DIFC, CBB (Bahrain), SAMA (Saudi Arabia), and QFC (Qatar).
A framework requiring banks to share customer financial data with authorised third parties via APIs, with customer consent. Implemented by CBUAE (Open Finance Policy, 2023) and SAMA (Open Banking Framework, 2022).
Regulatory Technology. Software tools used by financial institutions and regulators for compliance, reporting, and supervision. Actively supported through GCC fintech sandboxes.
Decisions made entirely by algorithms without human review. The UAE PDPL, Saudi PDPL, ADGM DPR, and DIFC DPL all impose transparency and human review requirements for decisions with significant effects on individuals.
The requirement to store certain data within a country's borders. Saudi Arabia's PDPL requires sensitive personal data of Saudi nationals to be stored within the Kingdom. Qatar and Bahrain have similar requirements for certain data categories.
Anti-Money Laundering / Counter-Terrorism Financing. A set of laws and regulations requiring financial institutions to identify, report, and prevent money laundering and terrorism financing activities. All GCC countries have AML/CFT frameworks aligned with FATF standards.
An approach requiring data protection to be embedded into products and systems at the design stage, not bolted on later. Required by ADGM DPR and DIFC DPL. Recommended under UAE PDPL and Saudi PDPL.
Retrieval-Augmented Generation. The AI technique used by GCC LexAI: relevant document chunks are retrieved via vector search, then passed to a large language model to generate a cited, grounded answer.
A virtual replica of a physical entity used for simulation, analysis, and optimisation. Referenced in UAE and Qatar digital transformation strategies as a key emerging technology for smart city and infrastructure management.